Neverending cyber threat reports - how can insurers respond?

Expert encourages insurers to categorise data

By Daniel Wood

Few days pass without a report detailing Australia’s and the local insurance industry’s cyber vulnerabilities.

This week, Recorded Future, a firm that describes itself as “the world’s largest intelligence company,” released what it calls its CVE Monthly report. The investigation analyses the top vulnerabilities disclosed by software vendors including Microsoft, Google and Apple. The company’s media release said vulnerabilities with some implication for Australia included 15 “high risk” concerns, some already the object of cyber attacks.

Meanwhile, Thales Cloud Security, a global technology firm with a presence in Australia, released its 2023 Thales Data Threat Report. This investigation found that more than one third of Australian organisations have experienced a data breach during the last year. The report also identified what it called “growing security concerns around the 5G network.”

Almost half of nearly 3,000 IT professionals and security experts surveyed, according to the report, “believe that security threats are increasing in volume or severity.”

Lesson 1: Cybersecurity versus data security

In response to these ongoing reports, how should insurance companies approach dealing with their own vulnerabilities and those of their customers?

Brian Grant, Thales’ ANZ regional director, said one important distinction insurers need to make is between cybersecurity and data security.

“In many cases, organisations incorrectly believe that if they have invested in cybersecurity then their data is secure,” said Melbourne-based Grant. “Yet all too often, while everything around the data is secure, the data itself is left unprotected.”

He said it is critical to distinguish between the two because accessing data is one of the main reasons for a cyber attack.

Lesson 2: Hiding data is not enough

Grant said another lesson organisations, including insurance companies, “must understand,” is that not all data is the same.

“It is important to categorise data based on sensitivity, criticality, and compliance requirements,” he said. “When it comes to securing this valuable data, a long-held oversight is that hiding it and anonymising it is enough.”

Lesson 3: Raise the alarm quickly

Grant said safeguarding this data is also about controlling access and ensuring that the right people are alerted quickly when something happens.

“The biggest challenge is that too few solutions promoting data security raise an alarm when data is at risk,” he said. “This capability is often missing but organisations don’t know they need it until it’s too late.”

He compares this data security challenge to home security.

“Imagine protecting a house simply by hiding the only key to access it in a safe,” said Grant. “Take that one step further and only give the safe code to people who are allowed to access the key.”

He said even with both of those security steps in place, what if someone finds a way to break into the house?

“It doesn’t matter how well hidden the key is or how strong the safe is, no one will be alerted to the break-in taking place,” said Grant.

Yet another cyber report – this one from IBM – found that, on average, criminals are inside a victim’s IT system for approximately 200 days before a cyber breach actually occurs.

In response to these challenges, Grant said strong data security depends on applying three controls.

Hide data in plain sight

“Make data safe by hiding it in plain sight,” he said. “Apply encryption, tokenisation, masking, or anonymisation to ensure sensitive information is not visible to unauthorised users or processes.”

He said data that cannot be easily viewed is less at risk. Grant said this data can also be moved or backed up with less risk of deliberate or accidental disclosure.

Control data access

“Control who or what can access the data – ensure only authorised people or processes have access to the keys that unlock the safe,” said Grant. “While they may be authorised to access the room containing the safe, it does not automatically give them the right to access the cash.”

He said correct enforcement of data access reduces the risk of sensitive data being stolen, accidentally disclosed or tampered with.

Rapid attack response

Grant said a firm needs to have proactive alerts that trigger a rapid response when data is threatened.

“If an unauthorised person or process tries to read or write to the data, good data security will stop it,” he said. “Without integrating threat response, data security may only delay the attack.”
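The three controls Grant describes can be seen together in a small script. The following is an added example written for this article, not code from Thales or the products mentioned: it stands in for encryption or tokenisation with a stdlib HMAC-based token vault, uses a hypothetical role model (`claims_handler`, `payments_operator`) for access control, and records an alert whenever a role asks for a view of sensitive data it is not entitled to. The policyholder records and the vault key are constructed sample values.

```python
"""Added example: tokenise sensitive fields, gate access by role, alert on denial."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample records: fictitious policyholders, not real data.
RECORDS = [
    {"policy_id": "P-1001", "name": "Ada Example",
     "card_number": "4111111111111111", "email": "ada@example.com"},
    {"policy_id": "P-1002", "name": "Bob Sample",
     "card_number": "5500000000000004", "email": "bob@example.com"},
]
SENSITIVE_FIELDS = ("card_number", "email")

# Hypothetical role model: which view of a sensitive field each role may take.
ROLE_VIEWS = {
    "claims_handler": {"masked"},              # may only see a masked value
    "payments_operator": {"masked", "clear"},  # may unlock the cleartext
}


class TokenVault:
    """Control 1: hide data in plain sight.

    The stored record carries an HMAC-derived token; the cleartext lives only
    in the vault's lookup table (the "safe" in Grant's analogy).
    """

    def __init__(self, key: bytes):
        self._key = key            # constructed demo key; use a KMS-managed key in practice
        self._safe: dict[str, str] = {}

    def tokenise(self, value: str) -> str:
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:24]
        self._safe[token] = value
        return token

    def detokenise(self, token: str) -> str:
        return self._safe[token]


def protect(record: dict, vault: TokenVault) -> dict:
    """Return a copy of the record with sensitive fields replaced by tokens."""
    protected = dict(record)
    for name in SENSITIVE_FIELDS:
        if name in protected:
            protected[name] = vault.tokenise(protected[name])
    return protected


def mask(value: str, keep: int = 4) -> str:
    """Masked view: only the last `keep` characters stay visible."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


@dataclass
class AlertSink:
    """Control 3: raise the alarm when an unauthorised access is attempted."""
    events: list = field(default_factory=list)

    def raise_alarm(self, user: str, role: str, field_name: str, view: str) -> None:
        self.events.append(
            f"ALERT unauthorised {view} read of {field_name} by {user} ({role})"
        )


class DataGuard:
    """Control 2: only authorised roles get the key that unlocks the safe."""

    def __init__(self, vault: TokenVault, alerts: AlertSink):
        self._vault = vault
        self._alerts = alerts

    def read(self, user: str, role: str, record: dict,
             field_name: str, view: str = "masked") -> str:
        if field_name not in SENSITIVE_FIELDS:
            return record[field_name]           # non-sensitive fields are open
        if view not in ROLE_VIEWS.get(role, set()):
            self._alerts.raise_alarm(user, role, field_name, view)
            raise PermissionError(f"{role} may not take a {view} view of {field_name}")
        clear = self._vault.detokenise(record[field_name])
        return clear if view == "clear" else mask(clear)


def demo() -> dict:
    """Run the three controls over the constructed records and return the outcomes."""
    vault = TokenVault(key=b"demo-key-not-for-production")
    alerts = AlertSink()
    guard = DataGuard(vault, alerts)
    stored = [protect(r, vault) for r in RECORDS]
    results = {
        "stored_card": stored[0]["card_number"],
        "handler_view": guard.read("alice", "claims_handler", stored[0], "card_number"),
        "payments_view": guard.read("pat", "payments_operator", stored[0], "card_number", "clear"),
        "denied": False,
    }
    try:  # a claims handler asking for cleartext is refused and an alert is raised
        guard.read("alice", "claims_handler", stored[0], "card_number", "clear")
    except PermissionError:
        results["denied"] = True
    results["alerts"] = list(alerts.events)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the split is the one Grant makes: the stored record is useless on its own (control 1), the vault only hands cleartext back to a role entitled to it (control 2), and a refused request is not silently dropped but logged as an alert someone can act on (control 3).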

If you’re an insurance professional, how do you approach cyber risks with your customers? Please tell us below.
